Abstract

Traditional password-based authentication schemes are mostly designed for single-server environments. They are unsuited to multi-server environments in two respects. On the one hand, users need to register with each server and to keep large sets of data, including identities and passwords. On the other hand, servers are required to store a verification table containing user identities and passwords. Recently, building on Sood et al.'s protocol (2011), Li et al. proposed an improved dynamic identity based authentication and key agreement protocol for multi-server architecture (2012) and claimed that it repairs the security weaknesses of Sood et al.'s protocol. Unfortunately, our further research shows that Li et al.'s protocol contains several drawbacks and cannot resist some known attacks, such as the replay attack, Denial-of-Service attack, internal attack, eavesdropping attack, masquerade attack and so on. In this paper we further propose a light dynamic pseudonym identity based authentication and key agreement protocol for multi-server architecture. In our scheme, service providing servers do not need to maintain verification tables for users. The proposed protocol provides not only the security features claimed in Li et al.'s paper, but also further security features such as traceability and identity protection.

Keywords: authentication and key agreement; dynamic pseudonym identity; multi-server architecture; hash function; smart card
1. Introduction

With the rapid growth of modern computer networks, an increasing number of systems consist of many service providing servers around the world that offer services via the Internet. It is important to verify the legitimacy of a remote user in a public environment before he/she can access a service. But traditional password-based authentication schemes are mostly designed for single-server environments. They are unsuited to multi-server environments in two respects. On the one hand, users need to register with each server and to keep large sets of data, including identities and passwords. On the other hand, servers are required to store a verification table containing user identities and passwords. The scheme in [1] was the first remote authentication scheme using smart cards based on ElGamal's public key cryptosystem [2]; it does not need to maintain verification tables. After that, numerous smart card based single-server authentication schemes using one-way hash functions were proposed [3-9]. However, it is still inconvenient for a user to use different smart cards to log in to different remote servers, because users still need to remember numerous sets of identities and passwords. In order to resolve this problem, several schemes have been proposed for authentication and key agreement in the multi-server environment [10, 11, 12, 13, 14, 15, 16], all of which claim not to store verification tables. Most of these schemes fall into three categories: hash-based, symmetric cryptosystem based and public-key cryptosystem based. Hash-based protocols are considered the most efficient.

Among these schemes, in 2009 Hsiang and Shih proposed a dynamic identity and one-way hash based remote user authentication protocol for multi-server architecture without a verification table [10]. However, in 2011 Sood et al. [11] pointed out that Hsiang and Shih's protocol cannot resist many types of security attacks, such as the replay attack, impersonation attack and stolen smart card attack, and proposed an improved scheme claimed to achieve user anonymity and to resist various common security attacks. Recently, in [16], Li et al. found that Sood et al.'s protocol is still vulnerable to some known attacks, such as the replay attack, stolen smart card attack and so on; they also showed that the mutual authentication and key agreement phase of Sood et al.'s protocol cannot be completed successfully in some specific scenarios. Furthermore, in [16] they proposed an improved dynamic identity based authentication and key agreement protocol for multi-server architecture, which is claimed to remove the aforementioned weaknesses of Sood et al.'s protocol. Unfortunately, our further research shows that Li et al.'s protocol contains several drawbacks and cannot resist some known attacks, such as the leak-of-verifier attack, stolen smart card attack, eavesdropping attack, replay attack, Denial-of-Service attack, forgery attack and so on.

The rest of this paper is organized as follows: Section 2 gives an overview of Li et al.'s protocol; Section 3 points out the security weaknesses of that protocol in detail; Section 4 presents our proposed protocol; the security and performance analyses of our proposed protocol are given in Sections 5 and 6; finally, Section 7 presents the overall conclusion.



Table 1: Notations used in Li et al.'s paper

  U_i                  a user
  S_j                  a service providing server
  CS                   the control server
  ID_i                 the identity of U_i
  SID_j                the identity of S_j
  x                    the master secret key
  y                    the secret number
  b                    a random number chosen by the user for registration
  CID_i                the dynamic identity generated by U_i for authentication
  SK                   the session key shared among the user, the server and CS
  N_i1, N_i2, N_i3     random numbers chosen by U_i, S_j and CS
  h(·)                 a one-way hash function
  ⊕                    the bitwise XOR operation
  ||                   the bitwise concatenation operation

2. Overview of Li et al.'s protocol

In this section we give an overview of Li et al.'s protocol, which is an enhanced scheme derived from Sood et al.'s protocol. We first summarize the notations used throughout Li et al.'s paper in Table 1. The protocol involves three kinds of participants: users (taking $U_i$ for example), service providing servers (taking $S_j$ for example), and the control server $CS$. $CS$ is a trusted third party responsible for the registration and authentication of the users and the service providing servers. $CS$ chooses two secret elements $x$ and $y$. In the registration phase, $S_j$ obtains $h(SID_j \| y)$ and $h(x \| y)$ from $CS$ via a secure channel. $U_i$ randomly selects a number $b$ and computes $A_i = h(b \| P_i)$, where $P_i$ is $U_i$'s password. After the initialization and registration phases, $U_i$ obtains a smart card from $CS$ via a secure channel. With $B_i = h(ID_i \| x)$, the smart card stores $C_i$, $D_i$, $E_i$, $h(\cdot)$, $h(y)$ and $b$ for the user $U_i$, where

    C_i = h(ID_i \| h(y) \| A_i)
    D_i = B_i \oplus h(ID_i \| A_i) = h(ID_i \| x) \oplus h(ID_i \| A_i)        (1)
    E_i = B_i \oplus h(y \| x) = h(ID_i \| x) \oplus h(y \| x)

Note that $h(y)$ (stored in clear) and $h(y \| x)$ (masked only by $B_i$) are the same values for every registered user.




[Figure 1: Demonstration of the registration, authentication and key agreement phases of Li et al.'s protocol (participants: user $U_i$, service providing server $S_j$, control server $CS$).]

In $U_i$'s login phase, $U_i$ inserts his/her smart card into a terminal and inputs the identity $ID_i$ and password $P_i$. The terminal computes $A_i^* = h(b \| P_i)$ and $C_i^* = h(ID_i \| h(y) \| A_i^*)$. If $C_i^*$ equals the stored $C_i$, $U_i$ is considered a legitimate user; otherwise the terminal rejects the login request. After this local verification, the authentication and key agreement phase takes place among $U_i$, $S_j$ and $CS$, as depicted in Figure 1. The steps are as follows.

Step 1: $U_i \to S_j$: $\{F_i, G_i, P_{ij}, CID_i\}$.¹

$U_i$ computes $B_i = D_i \oplus h(ID_i \| A_i)$ and generates a random number $N_{i1}$. Then $U_i$ computes $F_i$, $G_i$, $P_{ij}$, $CID_i$ as follows:

    F_i = h(y) \oplus N_{i1}
    G_i = h(B_i \| A_i \| N_{i1})
    P_{ij} = E_i \oplus h(h(y) \| N_{i1} \| SID_j)        (2)
    CID_i = A_i \oplus h(B_i \| F_i \| N_{i1})

Then $U_i$ sends $\{F_i, G_i, P_{ij}, CID_i\}$ to $S_j$ over a public channel.

Step 2: $S_j \to CS$: $\{F_i, G_i, P_{ij}, CID_i, SID_j, K_i, M_i\}$.

After receiving the message from $U_i$, the server $S_j$ randomly selects a number $N_{i2}$ and computes $K_i$ and $M_i$ as follows:

    K_i = h(SID_j \| y) \oplus N_{i2}
    M_i = h(h(x \| y) \| N_{i2})        (3)

Then $S_j$ sends $\{F_i, G_i, P_{ij}, CID_i, SID_j, K_i, M_i\}$ to $CS$ over the public channel.

Step 3: $CS \to S_j$: $\{Q_i, R_i, V_i, T_i\}$.

After receiving the message from $S_j$, $CS$ computes $N_{i2} = K_i \oplus h(SID_j \| y)$ and $M_i^* = h(h(x \| y) \| N_{i2})$, and verifies whether $M_i^*$ equals the received $M_i$. If not, $CS$ terminates the session; otherwise the legitimacy of $S_j$ is verified by $CS$. After that, $CS$ computes:

    N_{i1} = F_i \oplus h(y)
    B_i = P_{ij} \oplus h(h(y) \| N_{i1} \| SID_j) \oplus h(y \| x)
    A_i = CID_i \oplus h(B_i \| F_i \| N_{i1})        (4)
    G_i^* = h(B_i \| A_i \| N_{i1})

Then $CS$ verifies whether $G_i^*$ equals the received $G_i$. If not, $CS$ terminates the session; otherwise the legitimacy of $U_i$ is verified by $CS$. $CS$ then randomly selects a number $N_{i3}$ and computes:

    Q_i = N_{i1} \oplus N_{i3} \oplus h(SID_j \| N_{i2})
    R_i = h(A_i \| B_i) \oplus h(N_{i1} \oplus N_{i2} \oplus N_{i3})
    V_i = h(h(A_i \| B_i) \| h(N_{i1} \oplus N_{i2} \oplus N_{i3}))        (5)
    T_i = N_{i2} \oplus N_{i3} \oplus h(A_i \| B_i \| N_{i1})

Then $CS$ sends $\{Q_i, R_i, V_i, T_i\}$ to $S_j$ over a public channel.

Step 4: $S_j \to U_i$: $\{V_i, T_i\}$.

After receiving the message from $CS$, $S_j$ computes:

    N_{i1} \oplus N_{i3} = Q_i \oplus h(SID_j \| N_{i2})
    h(A_i \| B_i) = R_i \oplus h(N_{i1} \oplus N_{i3} \oplus N_{i2})        (6)
    V_i^* = h(h(A_i \| B_i) \| h(N_{i1} \oplus N_{i3} \oplus N_{i2}))

Then $S_j$ verifies whether $V_i^*$ equals the received $V_i$. If not, $S_j$ terminates the session; otherwise the legitimacy of $CS$ is verified by $S_j$. After that, $S_j$ sends the message $\{V_i, T_i\}$ to $U_i$.

Step 5: After receiving the message from $S_j$, $U_i$ computes $V_i^*$ as follows:

    N_{i2} \oplus N_{i3} = T_i \oplus h(A_i \| B_i \| N_{i1})
    V_i^* = h(h(A_i \| B_i) \| h(N_{i1} \oplus N_{i2} \oplus N_{i3}))        (7)

Then $U_i$ verifies whether $V_i^*$ equals the received $V_i$. If not, $U_i$ terminates the session; otherwise the legitimacy of $CS$ and $S_j$ is verified by $U_i$.

Finally, $U_i$, $S_j$ and $CS$ can separately compute the shared session key $SK$ as follows:

    SK = h(h(A_i \| B_i) \| (N_{i1} \oplus N_{i2} \oplus N_{i3}))        (8)

¹ In the description of [16], this step (except for sending the message) is included in the login step.



3. Security weakness analysis of the protocol

In [16], the authors claim that their protocol resists many types of security attacks. Unfortunately, our further research shows that Li et al.'s protocol contains several drawbacks and cannot resist some known attacks, such as the replay attack, Denial-of-Service attack, internal attack, smart card forgery attack, eavesdropping attack and masquerade attack. The detailed analysis is as follows.
3.1. Replay attack and Denial-of-Service attack

Assume that a malicious attacker can eavesdrop on the first message sent from a legitimate user $U_i$ to the server $S_j$ in Step 1 of the authentication and key agreement phase. Once $\{F_i, G_i, P_{ij}, CID_i\}$ has been captured, a replay attack can be launched simply by retransmitting it to $S_j$. Nothing in the message binds it to a time or to a session counter, so $S_j$ and $CS$ cannot distinguish the replayed message from a fresh one and are tricked into performing Steps 2-4. Even though the attacker cannot obtain the final session key $SK$, $S_j$ and $CS$ have spent considerable computing, communication and storage resources on the bogus session. A large number of replays launched at the same time therefore forms a Denial-of-Service attack that prevents legitimate users from being served.

3.2. Internal attack

Assume there is a malicious insider $U_f$ who holds a legitimate smart card. From the elements stored in the card, $U_f$ directly obtains $h(y)$. $U_f$ first computes $B_f = D_f \oplus h(ID_f \| A_f)$ and then $h(y \| x) = E_f \oplus B_f$. Knowing $h(y)$ and $h(y \| x)$, which are common to every registered user, the attacker can further launch eavesdropping attacks to obtain the session key shared among any other user, the related service providing server and $CS$ (Section 3.4).

3.3. Smart card forgery attack

Li et al.'s protocol lacks any verification of $A_i$ and $B_i$ by $CS$: in Step 3, $CS$ merely unwraps $A_i$ and $B_i$ from the received message and checks that $G_i$ is consistent with them. Thus a malicious attacker who knows $h(y)$ and $h(y \| x)$ in advance can forge a new smart card at will. To forge a card for a fictitious user $U_s$, the attacker first sets $A_s = Num1$ and $B_s = Num2$, where $Num1$ and $Num2$ are two random numbers of the same length as $A_i$ and $B_i$. The elements of the forged card are then set as:

    C_s = h(ID_s \| h(y) \| A_s) = h(ID_s \| h(y) \| Num1)
    D_s = B_s \oplus h(ID_s \| A_s) = Num2 \oplus h(ID_s \| Num1)        (9)
    E_s = B_s \oplus h(y \| x) = Num2 \oplus h(y \| x)

If the attacker then wants to access the service providing server $S_j$ with this forged card, the first message is computed as:

    F_s = h(y) \oplus N_{s1}
    G_s = h(B_s \| A_s \| N_{s1}) = h(Num2 \| Num1 \| N_{s1})
    P_{sj} = E_s \oplus h(h(y) \| N_{s1} \| SID_j) = Num2 \oplus h(y \| x) \oplus h(h(y) \| N_{s1} \| SID_j)        (10)
    CID_s = A_s \oplus h(B_s \| F_s \| N_{s1}) = Num1 \oplus h(Num2 \| F_s \| N_{s1})

Following Li et al.'s protocol, this message passes the legitimacy verification by $CS$ and $S_j$. If the random numbers chosen by $S_j$ and $CS$ are $N_{s2}$ and $N_{s3}$, the attacker, $S_j$ and $CS$ successfully agree on a common session key $SK = h(h(Num1 \| Num2) \| (N_{s1} \oplus N_{s2} \oplus N_{s3}))$.

3.4. Eavesdropping attack

Assume the authentication and key agreement phase takes place among the legitimate user $U_m$, the service providing server $S_n$ and the control server $CS$, and that a malicious attacker can eavesdrop on all messages exchanged among these three participants. The attacker is further assumed to know $h(y)$ and $h(y \| x)$ in advance (Section 3.2). The first message, sent by $U_m$, is $\{F_m, G_m, P_{mn}, CID_m\}$. From $F_m$, $N_{m1}$ is obtained immediately:

    N_{m1} = h(y) \oplus F_m        (11)

Next, $E_m$ is extracted from $P_{mn}$, and then $B_m$ from $E_m$:

    E_m = P_{mn} \oplus h(h(y) \| N_{m1} \| SID_n)
    B_m = E_m \oplus h(y \| x)        (12)

After that, $A_m$ is extracted from $CID_m$:

    A_m = CID_m \oplus h(B_m \| F_m \| N_{m1})        (13)

Thus a single message sent over the public channel leaks the crucial security information $(A_m, B_m, N_{m1})$ of $U_m$, and the value $E_m$ stored in $U_m$'s smart card is obtained as well. Because of the user anonymity support, the attacker cannot obtain $U_m$'s identity $ID_m$ and hence cannot compute $C_m$ and $D_m$, but the final session key $SK$ can still be extracted, as follows.

After eavesdropping on the message sent in Step 3 or Step 4, the attacker extracts $N_{m2} \oplus N_{m3}$ from $T_m$:

    N_{m2} \oplus N_{m3} = T_m \oplus h(A_m \| B_m \| N_{m1})        (14)

Now the attacker can compute the final session key $SK = h(h(A_m \| B_m) \| (N_{m1} \oplus N_{m2} \oplus N_{m3}))$ negotiated among $U_m$, $S_n$ and $CS$, and can therefore decrypt all data encrypted under it between $U_m$ and $S_n$.

3.5. Masquerade attack to pose as a legitimate user

After obtaining the security information of a legitimate user (such as $U_m$) via the eavesdropping attack of Section 3.4, the attacker can masquerade as that user. By the internal attack the attacker knows $h(y)$ and $h(y \| x)$; by the eavesdropping attack the attacker further obtains $A_m$, $B_m$ and $E_m$. With this information the attacker can pose as $U_m$ and run the authentication and key agreement phase with any other service providing server (take $S_p$ for example) and $CS$.

First, the attacker randomly selects a number $N_{MA}$ and forges the Step 1 message of $U_m$:

    F_m = h(y) \oplus N_{MA}
    G_m = h(B_m \| A_m \| N_{MA})
    P_{mp} = E_m \oplus h(h(y) \| N_{MA} \| SID_p)        (15)
    CID_m = A_m \oplus h(B_m \| F_m \| N_{MA})

Assume $S_p$ and $CS$ select the random numbers $N_{m2}$ and $N_{m3}$ and Steps 2-4 are performed normally. Then the attacker, $S_p$ and $CS$ "successfully" agree on the session key $SK = h(h(A_m \| B_m) \| (N_{MA} \oplus N_{m2} \oplus N_{m3}))$, while $S_p$ and $CS$ mistakenly believe that they are communicating with the legitimate user $U_m$.

3.6. Masquerade attack to pose as a legitimate service providing server

First assume that the malicious attacker has eavesdropped on an earlier Step 2 message sent from $S_n$ to $CS$ and recorded its $K_i$ and $M_i$. Assume further that a legitimate user $U_m$'s security information has been leaked to the attacker through the internal attack and the eavesdropping attack. When $U_m$ wants to log in to the server $S_n$, he/she selects a random number $N_{m1}$ and sends the Step 1 message $\{F_m, G_m, P_{mn}, CID_m\}$ to $S_n$. The attacker takes the real server $S_n$ down and masquerades as $S_n$. After intercepting this message, the attacker appends the recorded $K_i$ and $M_i$ to it: $\{F_m, G_m, P_{mn}, CID_m, SID_n, K_i, M_i\}$. Because $K_i$ and $M_i$ depend only on $SID_n$, $y$, $h(x \| y)$ and the old nonce $N_{i2}$, and on nothing from the current session, this message also passes $CS$'s verification. Let $N_{m3}$ be the random number selected by $CS$. After Steps 3 and 4, the user $U_m$ and $CS$ compute the session key

    SK = h(h(A_m \| B_m) \| (N_{m1} \oplus N_{i2} \oplus N_{m3}))        (16)

and $U_m$ mistakenly believes that he/she is communicating with the genuine $S_n$. Although the attacker cannot extract the random number $N_{i2}$ from $K_i$, he/she can still obtain $SK$ by the same computation as in Sections 3.4 and 3.5: $A_m$, $B_m$ and $N_{m1}$ are known, and $T_m$ passes through the attacker's hands, so $N_{i2} \oplus N_{m3}$ is recovered by equation (14). So the attacker can not only masquerade as the real server, but also decrypt the data sent by the user without being noticed.
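The protocol of Section 2 and the attacks of Sections 3.2 to 3.5, as an added Python example (this is not code from Li et al.'s paper or from this paper). It assumes $h(\cdot)$ is SHA-256, every protocol value is a 32-byte string so that XOR and concatenation are well defined, identities and passwords are short byte strings that only ever enter hashes, and the smart card is modelled as a dictionary. The honest run confirms that all three parties derive the same $SK$; the insider then recovers $h(y)$ and $h(y \| x)$ from his own card (Section 3.2), uses them to recover $A_m$, $B_m$, $N_{m1}$ and $SK$ from the eavesdropped messages of another user's session (equations (11)-(14)), and forges a card for a never-registered identity that passes $CS$'s checks (Section 3.3).

```python
import hashlib
import os

def h(*parts):  # the one-way hash h(.) of the paper, instantiated with SHA-256 (assumption)
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):  # bitwise XOR of two equal-length byte strings
    return bytes(p ^ q for p, q in zip(a, b))

def register_server(cs, sid):  # S_j obtains h(SID_j||y) and h(x||y) over a secure channel
    return {"sid": sid, "hsy": h(sid, cs["y"]), "hxy": h(cs["x"], cs["y"])}

def register_user(cs, ident, pw):  # smart card contents of equation (1), B_i = h(ID_i||x)
    b = os.urandom(32)
    a, bi = h(b, pw), h(ident, cs["x"])
    return {"C": h(ident, h(cs["y"]), a), "D": xor(bi, h(ident, a)),
            "E": xor(bi, h(cs["y"], cs["x"])), "hy": h(cs["y"]), "b": b}

def user_step1(card, ident, pw, sid):
    a = h(card["b"], pw)
    if h(ident, card["hy"], a) != card["C"]:
        raise ValueError("login rejected by the card")
    bi, n1 = xor(card["D"], h(ident, a)), os.urandom(32)
    f = xor(card["hy"], n1)  # equation (2): {F_i, G_i, P_ij, CID_i}
    msg1 = (f, h(bi, a, n1), xor(card["E"], h(card["hy"], n1, sid)), xor(a, h(bi, f, n1)))
    return msg1, {"a": a, "bi": bi, "n1": n1}

def server_step2(srv, msg1):
    n2 = os.urandom(32)  # equation (3): K_i = h(SID_j||y) xor N_i2, M_i = h(h(x||y)||N_i2)
    return msg1 + (srv["sid"], xor(srv["hsy"], n2), h(srv["hxy"], n2)), n2

def cs_step3(cs, msg2):
    f, g, p, cid, sid, k, m = msg2
    x, y = cs["x"], cs["y"]
    n2 = xor(k, h(sid, y))
    n1 = xor(f, h(y))  # equation (4): CS unwraps N_i1, B_i, A_i and checks G_i
    bi = xor(xor(p, h(h(y), n1, sid)), h(y, x))
    a = xor(cid, h(bi, f, n1))
    if h(h(x, y), n2) != m or h(bi, a, n1) != g:
        raise ValueError("S_j or U_i rejected by CS")
    n3, hab = os.urandom(32), h(a, bi)
    n123 = xor(xor(n1, n2), n3)  # equation (5): {Q_i, R_i, V_i, T_i}
    msg3 = (xor(xor(n1, n3), h(sid, n2)), xor(hab, h(n123)),
            h(hab, h(n123)), xor(xor(n2, n3), h(a, bi, n1)))
    return msg3, h(hab, n123)  # SK, equation (8)

def server_step4(srv, n2, msg3):
    q, r, v, t = msg3
    n123 = xor(xor(q, h(srv["sid"], n2)), n2)  # equation (6)
    hab = xor(r, h(n123))
    if h(hab, h(n123)) != v:
        raise ValueError("CS rejected by S_j")
    return (v, t), h(hab, n123)

def user_step5(st, msg4):
    v, t = msg4
    n123 = xor(st["n1"], xor(t, h(st["a"], st["bi"], st["n1"])))  # equation (7)
    hab = h(st["a"], st["bi"])
    if h(hab, h(n123)) != v:
        raise ValueError("CS/S_j rejected by U_i")
    return h(hab, n123)

def run_session(cs, srv, card, ident, pw):  # returns the three parties' SK and the wire messages
    msg1, st = user_step1(card, ident, pw, srv["sid"])
    msg2, n2 = server_step2(srv, msg1)
    msg3, sk_cs = cs_step3(cs, msg2)
    msg4, sk_s = server_step4(srv, n2, msg3)
    return (user_step5(st, msg4), sk_s, sk_cs), msg1, msg4

def insider_secrets(card, ident, pw):  # Section 3.2: the global h(y) and h(y||x)
    bi = xor(card["D"], h(ident, h(card["b"], pw)))
    return card["hy"], xor(card["E"], bi)

def eavesdrop_sk(hy, hyx, sid, msg1, msg4):  # Section 3.4, equations (11)-(14)
    f, _g, p, cid = msg1
    n1 = xor(hy, f)
    bm = xor(xor(p, h(hy, n1, sid)), hyx)
    am = xor(cid, h(bm, f, n1))
    n23 = xor(msg4[1], h(am, bm, n1))  # msg4[1] is T_m
    return h(h(am, bm), xor(n1, n23))

def forge_card(hy, hyx, ident, pw):  # Section 3.3: A_s = Num1 = h(b||pw), B_s = Num2
    b, num2 = os.urandom(32), os.urandom(32)
    num1 = h(b, pw)
    return {"C": h(ident, hy, num1), "D": xor(num2, h(ident, num1)),
            "E": xor(num2, hyx), "hy": hy, "b": b}

def demo():
    cs = {"x": os.urandom(32), "y": os.urandom(32)}
    srv = register_server(cs, b"server-1")  # constructed identities and passwords
    alice = register_user(cs, b"alice", b"pw-alice")
    mallory = register_user(cs, b"mallory", b"pw-mallory")  # an honestly registered insider
    (sk_u, sk_s, sk_cs), msg1, msg4 = run_session(cs, srv, alice, b"alice", b"pw-alice")
    hy, hyx = insider_secrets(mallory, b"mallory", b"pw-mallory")
    fake = forge_card(hy, hyx, b"nobody", b"pw-nobody")  # never registered with CS
    (fk_u, fk_s, fk_cs), _, _ = run_session(cs, srv, fake, b"nobody", b"pw-nobody")
    return (sk_u == sk_s == sk_cs == eavesdrop_sk(hy, hyx, srv["sid"], msg1, msg4)
            and fk_u == fk_s == fk_cs)
```

`demo()` returns `True`: Alice's session key, derived identically by all three parties, is reproduced by an attacker holding only Mallory's card and the four public messages, and the forged card for "nobody" completes a full run with $S_j$ and $CS$. The only secret that protects other users is therefore $B_f \oplus E_f$, which every cardholder can compute.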

4. Our proposed improved protocol

In this section we describe an improved protocol that removes the security weaknesses of Li et al.'s protocol. Our protocol involves three kinds of participants (the user, the service providing server and the control server) and consists of three phases: 1) the initialization and registration phase; 2) the login phase; 3) the authentication and key agreement phase. Because some notations are used differently from Li et al.'s protocol and some new ones are introduced, we first list the notations used in our protocol in Table 2. The protocol is shown in Figure 2 and described in detail below.

4.1. Initialization and registration phase

Assume the control server $CS$ is a trusted third party responsible for the registration and authentication of users and service providing servers. $CS$ chooses two random secret numbers $x$ and $y$.

The registration phase of the user $U_i$ is as follows:

Step 1: The user $U_i$ freely chooses his/her identity $ID_i$ and password $P_i$, and randomly chooses a number $b$. Then $U_i$ computes $A_i = h(b \| P_i)$ and submits the message $\{ID_i, b, A_i\}$ to $CS$ via a secure channel.
Step 2: After receiving the message, $CS$ first verifies the user's legitimacy. Then $CS$ computes $PID_i = h(ID_i \| b)$ and $B_i = h(PID_i \| x)$, and sends $B_i$ to $U_i$ via a secure channel.

Step 3: After receiving $B_i$ from $CS$, $U_i$ computes $C_i = h(ID_i \| A_i)$ and $D_i = B_i \oplus h(PID_i \oplus A_i)$, where $U_i$ obtains $PID_i = h(ID_i \| b)$ from his/her own $ID_i$ and $b$. Then $U_i$ writes $C_i$, $D_i$, $h(\cdot)$ and $b$ into the smart card. At last, the smart card contains $(C_i, D_i, h(\cdot), b)$. Unlike Li et al.'s protocol, no value that depends only on $CS$'s secrets (such as $h(y)$ or $h(y \| x)$) is stored on the card.

[Figure 2: The implementation phases of our proposed protocol. Left: user $U_i$, who knows $ID_i$, $P_i$ and holds the smart card $(C_i, D_i, h(\cdot), b)$; middle: service providing server $S_j$, who knows $BS_j$, $d$; right: control server $CS$, who knows $x$, $y$. Steps 1 to 5 of Section 4.3 are shown, with the pseudonym checks of equation (20) marked as optional operation steps.]

Table 2: Notations used in our proposed protocol

  U_i                  a user
  S_j                  a service providing server
  CS                   the control server
  ID_i                 the identity of U_i
  SID_j                the identity of S_j
  TS_i                 the timestamp value generated by U_i
  x                    a secret number known only to CS
  y                    a secret number known only to CS
  b                    a random number chosen by the user
  d                    a random number chosen by the service providing server
  PID_i                the protected pseudonym identity of U_i
  PSID_j               the protected pseudonym identity of S_j
  SK                   the session key shared among the user, the server and CS
  N_i1, N_i2, N_i3     random numbers chosen by U_i, S_j and CS
  h(·)                 a one-way hash function
  ⊕                    the bitwise XOR operation
  ||                   the bitwise concatenation operation

For a service providing server $S_j$, $S_j$ first chooses a random number $d$ and registers with $CS$ using its identity $SID_j$. $CS$ computes $PSID_j = h(SID_j \| d)$ and $BS_j = h(PSID_j \| y)$, and sends $BS_j$ to $S_j$ via a secure channel. $S_j$ stores $BS_j$ and $d$ in its memory.

4.2. Login phase

When the user $U_i$ wants to log in to access the server $S_j$, $U_i$ inserts his/her smart card into a terminal and inputs the identity $ID_i$ and password $P_i$. The terminal computes $A_i^* = h(b \| P_i)$ and $C_i^* = h(ID_i \| A_i^*)$. If $C_i^*$ equals the stored $C_i$, $U_i$ is considered a legitimate user; otherwise the terminal rejects $U_i$'s login request.

4.3. Authentication and key agreement phase

Step 1: $U_i \to S_j$: $\{F_i, P_{ij}, CID_i, G_i, PID_i, TS_i\}$.

$U_i$ chooses a random number $N_{i1}$ and generates the current timestamp value $TS_i$. Since the card holds $b$, $U_i$ recomputes $PID_i = h(ID_i \| b)$ locally. Then $U_i$ computes $B_i$, $F_i$, $P_{ij}$, $CID_i$, $G_i$ as follows:

    B_i = D_i \oplus h(PID_i \oplus A_i)
    F_i = B_i \oplus N_{i1}
    P_{ij} = h(B_i \oplus h(N_{i1} \| SID_j \| PID_i \| TS_i))        (17)
    CID_i = ID_i \oplus h(B_i \| N_{i1} \| TS_i \| "00")
    G_i = b \oplus h(B_i \| N_{i1} \| TS_i \| "11")

where "00" is the 2-bit binary string 00 and "11" is the 2-bit binary string 11; the two tags keep the masks for $CID_i$ and $G_i$ distinct although their other inputs are identical. Then $U_i$ sends $\{F_i, P_{ij}, CID_i, G_i, PID_i, TS_i\}$ to $S_j$ over a public channel.

Step 2: $S_j \to CS$: $\{F_i, P_{ij}, CID_i, G_i, PID_i, TS_i, J_i, K_i, L_i, M_i, PSID_j\}$.

After receiving the message from $U_i$, the server $S_j$ first checks whether the session delay is within the tolerable time interval $\Delta T$. Let the current time be $TS_j$. If $TS_j - TS_i > \Delta T$, the session has timed out and $S_j$ terminates it; otherwise $S_j$ continues as follows.

$S_j$ randomly selects a number $N_{i2}$ and computes $J_i$, $K_i$, $L_i$, $M_i$:

    J_i = BS_j \oplus N_{i2}
    K_i = h(N_{i2} \| BS_j \| P_{ij} \| TS_i)
    L_i = SID_j \oplus h(BS_j \| N_{i2} \| TS_i \| "00")        (18)
    M_i = d \oplus h(BS_j \| N_{i2} \| TS_i \| "11")

with "00" and "11" as above. Then $S_j$ sends $\{F_i, P_{ij}, CID_i, G_i, PID_i, TS_i, J_i, K_i, L_i, M_i, PSID_j\}$ to $CS$ over the public channel.
Step 3: $CS \to S_j$: $\{P_i, Q_i, R_i, V_i\}$.

After receiving the message from $S_j$, $CS$ first checks whether the session delay is within the allowed time interval $\Delta T$. Let the current time be $TS_{CS}$. If $TS_{CS} - TS_i > \Delta T$, the session has timed out and $CS$ terminates it; otherwise $CS$ continues as follows.

$CS$ computes $BS_j = h(PSID_j \| y)$, $N_{i2} = J_i \oplus BS_j$ and $K_i^* = h(N_{i2} \| BS_j \| P_{ij} \| TS_i)$, and verifies whether $K_i^*$ equals the received $K_i$. If not, $CS$ terminates the session; otherwise $CS$ computes the following elements:

    B_i = h(PID_i \| x)
    N_{i1} = F_i \oplus B_i
    ID_i = CID_i \oplus h(B_i \| N_{i1} \| TS_i \| "00")        (19)
    SID_j = L_i \oplus h(BS_j \| N_{i2} \| TS_i \| "00")
    P_{ij}^* = h(B_i \oplus h(N_{i1} \| SID_j \| PID_i \| TS_i))

Then $CS$ verifies whether $P_{ij}^*$ equals the received $P_{ij}$. If not, $CS$ terminates the session; otherwise $CS$ continues to compute:

    b = G_i \oplus h(B_i \| N_{i1} \| TS_i \| "11")
    d = M_i \oplus h(BS_j \| N_{i2} \| TS_i \| "11")
    PID_i^* = h(ID_i \| b)        (20)
    PSID_j^* = h(SID_j \| d)

Then $CS$ verifies whether $PID_i^* = PID_i$ and $PSID_j^* = PSID_j$. If not, $CS$ terminates the session; otherwise $CS$ is assured that the messages come from the real $U_i$ and $S_j$. (These checks of equation (20) are the optional operation steps marked in Figure 2.) After the verification, $CS$ randomly selects a number $N_{i3}$ and computes $P_i$, $Q_i$, $R_i$, $V_i$ as follows:

    P_i = N_{i1} \oplus N_{i3} \oplus h(SID_j \| N_{i2} \| BS_j)
    Q_i = h(N_{i1} \oplus N_{i3})
    R_i = N_{i2} \oplus N_{i3} \oplus h(ID_i \| N_{i1} \| B_i)        (21)
    V_i = h(N_{i2} \oplus N_{i3})

Then $CS$ sends $\{P_i, Q_i, R_i, V_i\}$ to $S_j$ over a public channel.
Step 4: $S_j \to U_i$: $\{R_i, V_i\}$.

After receiving the message from $CS$, $S_j$ first computes:

    N_{i1} \oplus N_{i3} = P_i \oplus h(SID_j \| N_{i2} \| BS_j)        (22)
    Q_i^* = h(N_{i1} \oplus N_{i3})

Then $S_j$ verifies whether $Q_i^*$ equals the received $Q_i$. If not, $S_j$ terminates the session; otherwise the legitimacy of $CS$ is verified by $S_j$. After that, $S_j$ sends the message $\{R_i, V_i\}$ to $U_i$.

Step 5: After receiving the message from $S_j$, $U_i$ computes $V_i^*$ as follows:

    N_{i2} \oplus N_{i3} = R_i \oplus h(ID_i \| N_{i1} \| B_i)        (23)
    V_i^* = h(N_{i2} \oplus N_{i3})

Then $U_i$ verifies whether $V_i^*$ equals the received $V_i$. If not, $U_i$ terminates the session; otherwise the legitimacy of $CS$ and $S_j$ is verified by $U_i$.

Finally, $U_i$, $S_j$ and $CS$ can separately compute the common session key $SK$ as follows:

    SK = h((N_{i1} \oplus N_{i2} \oplus N_{i3}) \| TS_i)        (24)

$U_i$ combines its own $N_{i1}$ with the $N_{i2} \oplus N_{i3}$ recovered in Step 5, $S_j$ combines its own $N_{i2}$ with the $N_{i1} \oplus N_{i3}$ recovered in Step 4, and $CS$ knows all three nonces.
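A complete run of the proposed protocol (Sections 4.1 to 4.3), as an added Python example that is not code from the paper. Assumptions: $h(\cdot)$ is SHA-256; $ID_i$ and $SID_j$ are padded to 32 bytes so that $CID_i = ID_i \oplus h(\cdot)$ and $L_i = SID_j \oplus h(\cdot)$ are well defined; $TS_i$ is an 8-byte big-endian Unix time; $\Delta T$ is 60 seconds (the paper leaves it unspecified); the 2-bit tags "00" and "11" are encoded as the byte strings `b"00"` and `b"11"`; and the freshness check also rejects timestamps from the future, which the paper does not require. The optional pseudonym checks of equation (20) are included. The demo confirms that $U_i$, $S_j$ and $CS$ derive the same $SK$ and that the same Step 1 message replayed after $\Delta T$ is refused by $S_j$.

```python
import hashlib
import os

DELTA_T = 60  # tolerable delay ΔT in seconds (assumption; the paper leaves it unspecified)

def h(*parts):  # the one-way hash h(.), instantiated with SHA-256 (assumption)
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):  # bitwise XOR of two equal-length byte strings
    return bytes(p ^ q for p, q in zip(a, b))

def fresh(ts, now):  # TS_now - TS_i <= ΔT, as checked by S_j and CS (future TS also rejected)
    return 0 <= now - int.from_bytes(ts, "big") <= DELTA_T

def register_user(cs, ident, pw):  # Section 4.1: card holds C_i, D_i, b; B_i = h(PID_i||x)
    b = os.urandom(32)
    a, pid = h(b, pw), h(ident, b)
    bi = h(pid, cs["x"])
    return {"C": h(ident, a), "D": xor(bi, h(xor(pid, a))), "b": b}

def register_server(cs, sid):  # S_j keeps BS_j = h(PSID_j||y) and d
    d = os.urandom(32)
    psid = h(sid, d)
    return {"sid": sid, "d": d, "psid": psid, "bs": h(psid, cs["y"])}

def user_step1(card, ident, pw, sid, now):
    a = h(card["b"], pw)
    if h(ident, a) != card["C"]:  # Section 4.2 login check
        raise ValueError("login rejected by the card")
    pid = h(ident, card["b"])
    bi = xor(card["D"], h(xor(pid, a)))
    n1, ts = os.urandom(32), int(now).to_bytes(8, "big")  # TS_i as 8-byte Unix time
    msg1 = (xor(bi, n1), h(xor(bi, h(n1, sid, pid, ts))),  # F_i, P_ij  (17)
            xor(ident, h(bi, n1, ts, b"00")), xor(card["b"], h(bi, n1, ts, b"11")),  # CID_i, G_i
            pid, ts)
    return msg1, {"ident": ident, "bi": bi, "n1": n1, "ts": ts}

def server_step2(srv, msg1, now):
    f, p, cid, g, pid, ts = msg1
    if not fresh(ts, now):
        raise ValueError("S_j: session timeout")
    n2, bs = os.urandom(32), srv["bs"]
    extra = (xor(bs, n2), h(n2, bs, p, ts),  # J_i, K_i  (18)
             xor(srv["sid"], h(bs, n2, ts, b"00")), xor(srv["d"], h(bs, n2, ts, b"11")),  # L_i, M_i
             srv["psid"])
    return msg1 + extra, {"n2": n2, "ts": ts}

def cs_step3(cs, msg2, now):
    f, p, cid, g, pid, ts, j, k, l, m, psid = msg2
    if not fresh(ts, now):
        raise ValueError("CS: session timeout")
    bs = h(psid, cs["y"])
    n2 = xor(j, bs)
    if h(n2, bs, p, ts) != k:
        raise ValueError("CS: K_i mismatch")
    bi = h(pid, cs["x"])  # (19)
    n1 = xor(f, bi)
    ident, sid = xor(cid, h(bi, n1, ts, b"00")), xor(l, h(bs, n2, ts, b"00"))
    if h(xor(bi, h(n1, sid, pid, ts))) != p:
        raise ValueError("CS: P_ij mismatch")
    b, d = xor(g, h(bi, n1, ts, b"11")), xor(m, h(bs, n2, ts, b"11"))  # optional checks (20)
    if h(ident, b) != pid or h(sid, d) != psid:
        raise ValueError("CS: pseudonym mismatch")
    n3 = os.urandom(32)  # (21): {P_i, Q_i, R_i, V_i}
    msg3 = (xor(xor(n1, n3), h(sid, n2, bs)), h(xor(n1, n3)),
            xor(xor(n2, n3), h(ident, n1, bi)), h(xor(n2, n3)))
    return msg3, h(xor(xor(n1, n2), n3), ts)  # SK  (24)

def server_step4(srv, st, msg3):
    p3, q, r, v = msg3
    n13 = xor(p3, h(srv["sid"], st["n2"], srv["bs"]))  # (22)
    if h(n13) != q:
        raise ValueError("S_j: CS rejected")
    return (r, v), h(xor(n13, st["n2"]), st["ts"])

def user_step5(st, msg4):
    r, v = msg4
    n23 = xor(r, h(st["ident"], st["n1"], st["bi"]))  # (23)
    if h(n23) != v:
        raise ValueError("U_i: CS/S_j rejected")
    return h(xor(st["n1"], n23), st["ts"])

def run_session(cs, srv, card, ident, pw, now):  # returns the three parties' SK and Step 1 message
    msg1, ust = user_step1(card, ident, pw, srv["sid"], now)
    msg2, sst = server_step2(srv, msg1, now)
    msg3, sk_cs = cs_step3(cs, msg2, now)
    msg4, sk_s = server_step4(srv, sst, msg3)
    return (user_step5(ust, msg4), sk_s, sk_cs), msg1

def demo():
    cs = {"x": os.urandom(32), "y": os.urandom(32)}
    srv = register_server(cs, b"server-1".ljust(32, b"\0"))  # constructed SID_j, 32 bytes
    ident, pw = b"alice".ljust(32, b"\0"), b"pw-alice"  # constructed ID_i (32 bytes) and P_i
    card = register_user(cs, ident, pw)
    t0 = 1_700_000_000  # constructed Unix time of the honest session
    (sk_u, sk_s, sk_cs), msg1 = run_session(cs, srv, card, ident, pw, t0)
    try:  # Section 5.6: the same Step 1 message replayed after ΔT is refused by S_j
        server_step2(srv, msg1, t0 + DELTA_T + 1)
    except ValueError:
        return sk_u == sk_s == sk_cs
    return False
```

`demo()` returns `True`. Note that within $\Delta T$ the timestamp comparison alone cannot tell a replayed Step 1 message from the original, which is why Section 5.6 says that timestamps reduce, rather than eliminate, the success rate of replay; a deployment that wants stronger protection would additionally have $S_j$ or $CS$ remember the $(PID_i, TS_i)$ pairs seen during the last $\Delta T$ (a consideration beyond the paper's protocol).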

4.4. Password updating phase

Because the password $P_i$ is used only in the registration-time verification and does not appear in $B_i$, the password can be updated at any time. $U_i$ submits his/her $ID_i$ and $A_i' = h(b \| P_i')$ for the new password $P_i'$ to $CS$ via a secure channel, and $CS$ updates $U_i$'s record in its verification table. Meanwhile, $U_i$ updates the parameters in his/her smart card:

    C_i' = h(ID_i \| A_i')
    D_i' = B_i \oplus h(PID_i \oplus A_i')        (25)

4.5. Dynamic identity updating phase

In order to prevent malicious attackers from linking eavesdropped messages of different sessions, the user's $PID_i$ can be updated periodically. $U_i$ reselects a random number $b^\#$ and computes $A_i^\# = h(b^\# \| P_i)$. Then $U_i$ submits $\{ID_i, b^\#, A_i^\#\}$ to $CS$. After verifying $U_i$'s legitimacy, $CS$ recomputes $PID_i^\# = h(ID_i \| b^\#)$ and $B_i^\# = h(PID_i^\# \| x)$ and sends $B_i^\#$ to $U_i$ via a secure channel. After receiving $B_i^\#$, $U_i$ computes $C_i^\# = h(ID_i \| A_i^\#)$ and $D_i^\# = B_i^\# \oplus h(PID_i^\# \oplus A_i^\#)$. At last, the smart card is updated to $\{C_i^\#, D_i^\#, h(\cdot), b^\#\}$. Now $U_i$'s protected pseudonym identity is dynamically changed from $PID_i$ to $PID_i^\#$.

Service providing servers can also periodically update their protected pseudonym identities. Take $S_j$ for example: $S_j$ reselects a random number $d^\#$ and re-registers with $CS$ using its identity $SID_j$. $CS$ computes $PSID_j^\# = h(SID_j \| d^\#)$ and $BS_j^\# = h(PSID_j^\# \| y)$, and sends $BS_j^\#$ to $S_j$ via a secure channel. $S_j$ replaces $BS_j$ and $d$ in its memory with $BS_j^\#$ and $d^\#$.

5. Security analysis of our protocol

In this section we summarize the security analysis of our proposed protocol and compare it with two related protocols. We first list the security functionality of our protocol and the two related protocols in Table 3, which shows that our protocol covers more of the listed properties than the other two.

Table 3: Security functionality comparison of our protocol and two other related protocols

  Security functionality                     Our proposed   Li et al.'s        Sood et al.'s
                                             protocol       protocol (2012)    protocol (2011)
  User anonymity                             Yes            Yes                Yes
  Mutual authentication                      Yes            Yes                Yes
  Session key agreement                      Yes            Yes                Yes
  Password updating                          Yes            Yes                Yes
  Dynamic identity updating                  Yes            No                 No
  Traceability                               Yes            No                 No
  Identity protection                        Yes            No                 No
  Resistance to insider attack               Yes            No                 No
  Resistance to stolen smart card attack     Yes            Yes                No
  Resistance to replay attack                Yes            No                 No
  Resistance to Denial-of-Service attack     Yes            No                 No
  Resistance to eavesdropping attack         Yes            No                 No
  Resistance to masquerade attack            Yes            No                 No

Here we discuss the main security features of our proposed protocol in detail.

5.1. Providing user anonymity

For the user we use $PID_i$ instead of $ID_i$ on the public channel. Because protected pseudonym identities are used instead of real ones, a malicious attacker cannot obtain user identities; the service providing servers cannot learn users' real identities either, since $ID_i$ is only recovered by $CS$ from $CID_i$. In this way our protocol provides user anonymity. Furthermore, updating users' pseudonym identities periodically prevents the attacker from linking eavesdropped messages of different sessions of the same user.

5.2. Providing traceability

Despite user anonymity, $CS$ can still extract users' real identities from $CID_i$ and link them with their protected pseudonym identities. This gives our protocol the feature of traceability, a function newly added in our proposed protocol and absent from Li et al.'s protocol.
5.3. Providing identity protection

Using protected pseudonym identities for users and service providing servers ensures that only the legitimate $CS$ can obtain their real identities. This prevents the leakage of private user identities and server identities to malicious attackers. Moreover, in order to prevent attackers from linking eavesdropped messages of different sessions, the protected pseudonym identities of users and service providing servers are dynamic and can be changed at any time.

5.4. Resistance to insider attack and smart card forgery attack

As shown in Section 3.2, an internal attack on Li et al.'s protocol causes information leakage: $h(y)$ and $h(y \| x)$ are common parameters for all users, and with them an insider can further launch eavesdropping attacks, smart card forgery attacks, masquerade attacks and so on. In our proposed protocol, $h(y)$, $h(x)$ and $h(y \| x)$ are never used directly. Take the user $U_f$ as an insider attacker: the values $C_f$ and $D_f$ in his/her smart card are derived from $B_f = h(PID_f \| x)$, which depends on $U_f$'s own pseudonym. $U_f$ cannot derive the parameters of any other user's smart card from his/her own, and cannot masquerade as any other legitimate user using only his/her own security information.

5.5. Resistance to stolen smart card attack

In our proposed protocol we assume that if a smart card is stolen, physical protection cannot prevent the attacker from reading the stored elements. Take $U_i$ for example: if his/her smart card is stolen, the attacker obtains $(C_i, D_i, h(\cdot), b)$. But without the correct password $P_i$ the attacker cannot compute $A_i$, and hence cannot extract $B_i$ from $D_i$.

5.6. Resistance to replay attack and Denial-of-Service attack

First, the timestamp value $TS_i$ is bound into every message of our protocol, so the attacker cannot use an old message to launch a replay attack once $\Delta T$ has elapsed. This makes replay attacks and Denial-of-Service attacks hard to launch. Using $P_{ij}$ and $TS_i$ in computing $K_i$ avoids the flaw of Li et al.'s protocol described in Section 3.6, where an eavesdropped $K_i$ and $M_i$ attached by the service providing server $S_j$ could be replayed in a later session. Moreover, using and verifying the timestamp reduces the success rate of replay attacks.
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5. 7. Resistance of eavesdrop attack 

The malicious attacker cannot extract private security information from 
messages eavesdropped on public channels. Different from Li et al.'s 
protocol, PIDi is used in computing Bi and h(x), h(y||x) are not shared 
between CS and every user, so the malicious attacker cannot use one user's 
elements to extract any other user's security elements in our proposed 
protocol. Moreover, the malicious attacker cannot compute Ni1 ⊕ Ni2 ⊕ Ni3, 
so SK cannot be computed by the malicious attacker. 

5.8. Resistance to masquerade attack 

The malicious attacker cannot derive Ui's security information from the 
messages exchanged among Ui, Sj and CS; meanwhile, the malicious attacker 
cannot forge another user's smart card from the security information known 
to a malicious insider user; furthermore, using the timestamp prevents replay 
of the first message. For these three reasons, users cannot be masqueraded by 
malicious attackers. Because Pij and TSi are used in computing Ki, the 
malicious attacker cannot replay Sj's earlier message by attaching it to the 
end of the message of Step 1, thus servers cannot be masqueraded by malicious 
attackers either. 

6. Performance Analysis 

In this section, we evaluate the computational complexity, communication 
overhead and storage overhead of our proposed protocol and compare them with 
two related protocols: Li et al.'s protocol [16] and Sood et al.'s protocol 
[11]. Before analyzing in detail, we first define the notation Thash as the 
time of computing one hash operation. Because XOR and "||" operations require 
very little computation, they are usually omitted in computational complexity 
computation. 

Table 4: Computational complexity comparison of our protocol and two other related 
protocols 

Protocol                        Login phase    Authentication and key agreement phase 
                                Ui             Ui            Sj            CS 
Our proposed protocol           ?Thash         [illegible]   [illegible]   8Thash + (optional) 5Thash 
Li et al.'s protocol (2012)     [illegible]    [illegible]   [illegible]   8Thash 
Sood et al.'s protocol (2011)   [illegible]    [illegible]   [illegible]   11Thash 

(Cells marked [illegible], and the digit in "?Thash", could not be recovered 
from the scanned source.) 
First, the computational complexity comparison of our protocol and the 
other two related protocols is given in Table 4. As in [16], we only take the 
login phase and the authentication and session key agreement phase into 
consideration. Different from the description in [16], the login phase of Li 
et al.'s protocol is counted here as only the check of user legitimacy by the 
terminal. Accordingly, we merge step 2 of the login phase in [16] into the 
first step of the authentication and key agreement phase. A similar 
modification is applied to the description of Sood et al.'s protocol [11]. 
Furthermore, there is one additional hash computation for computing SK for 
each of the user, the service providing server and CS, which is not counted 
in Table 4. From Table 4, it is obvious that our protocol has almost the same 
computational complexity as the other two related protocols. In the 
authentication and key agreement phase of our proposed protocol, CS has five 
optional hash operations, which provide the traceability function. 

Second, we discuss communication overhead. Our proposed protocol and the 
other two related protocols all require four message transmissions in the 
authentication and key agreement phase. Taking Ui, Sj and CS for example, the 
four message transmissions are Ui → Sj, Sj → CS, CS → Sj and Sj → Ui, as 
demonstrated in Figure 1. 

Third, just as Li et al.'s protocol and Sood et al.'s protocol, our proposed 
protocol does not require every service providing server to maintain a 
verification table. CS maintains a verification table, but it only needs to 
be searched in the registration phase; CS does not use the verification table 
in the authentication and key agreement phase. Each user only needs to hold a 
smart card. Each service providing server (take Sj for example) only needs to 
store BSj and the randomly chosen number obtained in the registration phase. 
Besides the verification table, CS only needs to know x and y. 



7. Conclusions 

In this paper, after discussing the security weaknesses of Li et al.'s 
protocol, we propose an improved dynamic pseudonym identity based 
authentication and key agreement protocol which is suitable for the 
multi-server environment. Compared with related protocols, our proposed 
protocol is demonstrated to satisfy all the essential security requirements 
for authentication and key agreement in the multi-server environment. 
Meanwhile, in comparison with Li et al.'s protocol and Sood et al.'s protocol, 
our proposed protocol remains efficient, with low computational complexity, 
low communication overhead and low storage overhead. In the future, we will 
investigate suitable solutions to further reduce the computational complexity 
and improve protocol performance without reducing security. 